Skip to content

RedHook Returns with a Dangerous Upgrade#2502

Open
carlospolop wants to merge 1 commit into
masterfrom
update_RedHook_Returns_with_a_Dangerous_Upgrade_94f0a839ac5ac5aa
Open

RedHook Returns with a Dangerous Upgrade#2502
carlospolop wants to merge 1 commit into
masterfrom
update_RedHook_Returns_with_a_Dangerous_Upgrade_94f0a839ac5ac5aa

Conversation

@carlospolop

Copy link
Copy Markdown
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://group-ib.com/blog/redhook-android-rat-upgraded
  • Blog Title: RedHook Returns with a Dangerous Upgrade
  • Suggested Section: Mobile Pentesting > Android Applications Pentesting > Accessibility Services Abuse and Shizuku Privileged API; optionally cross-reference Android persistence and ADB/Wireless Debugging abuse

🎯 Content Summary

Overview

RedHook is an Android Remote Access Trojan (RAT) that combines social engineering, phishing, Accessibility-service abuse, ADB Wireless Debugging, and code heavily derived from the open-source Shizuku framework. After convincing a victim to sideload the APK and enable its Accessibility service, RedHook autonomously pairs an embedded ADB client with the infected device's own ADB daemon through 127.0.0.1. It then la...

🔧 Technical Details

Accessibility-assisted security configuration: Once an Android application has Accessibility access, it can inspect UI trees, simulate gestures and text entry, navigate Settings, and activate security-sensitive features. A malicious application can hide this automation behind a full-screen overlay, tap the build number seven times, enable Developer Options and Wireless Debugging, open pairing-code mode, and read the displayed pairing code without making the underlying Settings workflow visible to the victim.

Self-hosted ADB Wireless Debugging: Wireless Debugging allows an Android device to act as both ADB host and target. An embedded ADB client can pair with and connect to the same device's ADB daemon over the loopback interface 127.0.0.1. This removes the normal requirement for a computer or USB connection and turns a locally enabled debugging interface into an on-device route to shell uid 2000.

Borrowing shell identity through...

🤖 Agent Actions

Using deferred tool discovery to find the repo/file inspection tools needed for this HackTricks update.
The local exec tool requires a dedicated task-steps tool first, so I’m locating that specific tool now.
Initializing the required Chack task board now, then I’ll inspect the Android/mobile documentation files.
Applying a single-file update to the Shizuku page with the missing RedHook-style abuse chain, persistence caveats, and technical detection notes.
Done — I updated:

  • src/mobile-pentesting/android-app-pentesting/shizuku-privileged-api.md

Added concise technical coverage of:

  • Accessibility-assisted activation of Wireless Debugging
  • Self-hosted ADB pairing over 127.0.0.1
  • Malware reusing a Shizuku-style Binder helper under uid 2000
  • Reboot restoration of local ADB-backed privileges
  • Related persistence tricks (BIND_AUTO_CREATE, BOOT_COMPLETED, oom_score_adj, mlock(), MediaSession, WakeLock)
  • Technical detection/mitigation notes

I also added the Group-IB blog to the file’s ## References section and verified the final file structure.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

@carlospolop

Copy link
Copy Markdown
Collaborator Author

🔗 Additional Context

Original Blog Post: https://group-ib.com/blog/redhook-android-rat-upgraded

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting > Android Applications Pentesting > Accessibility Services Abuse and Shizuku Privileged API; optionally cross-reference Android persistence and ADB/Wireless Debugging abuse".

Repository Maintenance:

  • MD Files Formatting: 981 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant